The present invention generally relates to network monitoring techniques. More particularly, the invention provides a method and system for tracking machines on a network using fingerprinting technology. Merely by way of example, the invention has been applied to a computer network environment. But it would be recognized that the invention has a much broader range of applicability. For example, the invention can be applied to a firewall, an intrusion detection/prevention system, a server, a content filter device, an anti-virus process, an anti-SPAM device, a web proxy content filter, spyware, web security process, electronic mail filter, any combination of these, and others.
Telecommunication techniques have been around for numerous years. In the 1990s, another significant development in the telecommunication industry occurred. People began communicating to each other by way of computers, which are coupled to the telephone lines or telephone network. These computers or workstations coupled to each other can transmit many types of information from one geographical location to another geographical location. This information can be in the form of voice, video, and data, which have been commonly termed as “multimedia.” Information transmitted over the Internet or Internet “traffic” has increased dramatically in recent years. Information is now transmitted through networks, wide-area networks, telephone systems, and the Internet. This results in rapid transfer of information such as computer data, voice or other multimedia information.
Although the telecommunication industry has achieved major successes, certain drawbacks have also grown with wide spread communication networks. As merely an example, negative effects include an actor (initiator) connecting to another actor (acceptor) in a manner not acceptable to the acceptor. The inability for the acceptor to assess the risk of allowing connection from any initiator means is a problem for efficient resource management and protection of assets.
As the size and speed of these networks increase, similar growth of malicious events using telecommunications techniques: stalking, cyber-stalking, harassment, hacking, spam, computer-virus outbreaks, Denial of Service attacks, extortion, fraudulent behaviors (e.g., such as fraudulent websites, scams, 419 spam, so-called phishing) have also continued to increase. The goal of the malicious entity (Offender) is to inflict damage at minimum risk of detection or accountability. In the current realm of internet malicious activity, the offenders make use of anonymizing elements to achieve the latter. A broad range of options are available to the offender because of the current rate of compromised hosts (“Bot”) on the internet.
Various methods have been proposed to detect compromised hosts. For example, prior work has been performed and published that addresses the concept of machine-based fingerprinting. For example, see
http://www.cse.ucsd.edu/users/tkohno/papers/PDF/KoBrC105PDF-lowres.pdf
These and other conventional methods have certain limitations that are described throughout the present specification and more particularly below.
From the above, it is seen that a technique for improving security over a wide area network is highly desirable.